No matter the size of a business, it faces the risk of a cyberattack. Over 50% of organisations experienced a cyberattack. And while proactive protection is ideal, there is no silver bullet when it comes to security—meaning you should plan for incident response as well. Yet, 63% of C-level executives in the US do not have an incident response plan, according to a report by Shred-It.
That’s where an incident response team comes into play. This article provides a high-level overview of incident response services and planning, as well as tips to make an informed vendor choice.
What are incident response services?
Incident response is a set of information security policies and procedures that can be leveraged to detect, respond, and eliminate cyberattacks. The goal is to minimise the scope of an attack and improve recovery time by conducting forensic analysis. In turn, businesses can achieve a higher level of cybersecurity maturity by analysing the cause of the breach to strengthen their systems against future incidents.
There are three main types of incident response teams which vary slightly:
- Computer security incident response team (CSIRT): Handles computer security incidents with a cross-functional business team.
- Computer emergency response team (CERT): Focuses on partnerships with government, law enforcement, academia, and industry.
- Security operations centre (SOC): Responsible for directing the incident response plan in addition to other general security tasks.
A typical incident response team is composed of a manager (team leader), communications liaison (coordinator), a lead investigator, analysts, researchers, and legal representatives. Organisations can build their own in-house incident response team or leverage a third-party service.
Given the large cybersecurity skills gap, hiring and training staff may be a challenge, more businesses are opting for a third-party incident response service. Global Incident Response Service Market research report forecasts that the incident response market will grow by nearly 20% between 2022-2028.
Creating an incident response playbook
Some services will offer to create an incident response playbook or plan. But to truly optimise a service, CISOs/security leaders should own the playbook because they know their risk, operational flows, and security needs best.
Establishing an incident response playbook will surface any security gaps to address, thereby enhancing your cybersecurity posture. It can also help enterprises obtain/renew cyber insurance coverage as carriers are looking for demonstrated cyber maturity.
Below are helpful resources to get started:
Incident Response Playbook Examples
|National Cyber Incident Response Plan||Federal Government||- Roles and responsibilities
- Core capabilities
- Coordinating structures and integration
|Michigan State Government||State Government||- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
|Weill Cornell Medicine||Education||- Principles
- Reporting an Incident
- Identifying an Incident
- Declaring an Incident
- Coordinating a Response to an Incident
- Remediating an Incident
- Closing an Incident
|Cone Health||Healthcare||- Scope and Goals
- Incident Discovery/Notification
- Incident Response Process
- Incident Response Training and Evaluation
- Document Retention, Exception Management, Applicability, and Compliance
|University of Wisconsin Oshkosh – Payment Card Security||Finance||- Procedures
- Flow Chart for Suspected Breach
- Symptoms of Data Breaches
- Card Association Breach Response Plans
- Incident Classification, Risk Analysis, and Action Matrix
|North American Electric Reliability Corporation (NERC)||Critical National Infrastructure||- Requirements and Measures
Incident Response Playbook Templates
|National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide||General|
|Tennessee Department of Treasury||State Government|
|Incident Response Plan for a Small to Medium Sized Hospital||Healthcare|
|Bank of America – Creating a Cyber Response Plan||Finance|
|A Framework to Support ICS Cyber Incident Response and Recovery||Critical National Infrastructure|
Choosing an IR vendor
After establishing a thorough incident response playbook/plan, organisations can choose the right fit, instead of plugging in a team and hoping their capabilities mesh with your needs. More general considerations include:
Know the bottom line
Pricing structures vary, and hidden costs can sneak up on you. Weekend or 24/7 support are usually an add-on. Some vendors will charge you in 100-hour blocks, meaning if they need even one hour outside of that block, you won’t receive a detailed incident report.
Other vendors will charge you by machine blocks. For example, the starting price may be for 500 machines, so even if you only have 300 machines, you still must pay for 500. There are also vendors that charge by the day, regardless of the number of people or machines a business has. Make sure the pricing structure fits your needs and expectations.
Understand the capabilities
What can they offer you from a support side? Are they just threat hunters or are they providing end-to-end services? How long have they been performing incident response? Determine the range of experience and capability in resolving incidents such as: advanced persistent threats (APT) and cyberespionage, incidents involving current/former staff, denial-of-service/distributed denial-of-service (DoS/DDoS) attacks, intellectual property, credit cardholder information, private information, etc. Look into certifications held by the team as well as references.
It’s great to have an incident response team on retainer, but will they show up when you need them? Most incident response work is on-demand, and they may not have the manpower to help when you need it.
Consider a vendor that offers managed solutions with built-in incident response support to ensure availability. This will also alleviate in-house staff from cumbersome managed detection and response while ensuring the incident response team is keyed into the latest threat intelligence and research.
Proactive protection should remain a focus for organisations, but the reality is that nothing is 100% secure. Make sure you establish a strong incident response playbook before choosing a vendor to ensure your security needs are being met. For more information on cyber risk management, check out the following resources:
- Cyber Security Managed Services 101
- Attack Surface Management Strategies
- Top Five Patch Management & Process Best Practices